Citigroup's Japanese credit card unit said personal information for more than 92,000 of its customers was illegally sold to a third party.
The information exposed included the names, account numbers addresses, phone numbers birthdates, and sex of 92,408 credit card holders, Citi Cards Japan warned in an advisory (PDF) issued …

Accountability??

So Citi will be fined hundreds of millions of dollars and fire a whole bunch of senior management? No? Ah, very well, carry on then.

Clearly losing a bunch of details the first time round did nothing to improve their security. Blaming it on a third party is a cop-out. In the new UK anti-corruption laws, a company is liable if a third party acting on it's behalf is paying bribes. It's up to the company to make sue that it's partners are also in compliance.

Should be the same with data protection. If I entrust my customers' data to a third party, it's my responsibility to ensure that data is safe. If I'm not happy with their protections, I don't pass any data on to them.